Page 1: Examining a Windows NT Infrastructure (2) (Skill 1)

3.1 © 2004 Pearson Education, Inc.

Exam 70-297 Designing a Microsoft® Windows® Server 2003 Active Directory and Network Infrastructure

Lesson 3: Examining the Current Directory Services Infrastructure

Number and configuration of domains and trusts

  Defines the domain model in use

  Of utmost concern when upgrading rather than restructuring

  Types of domain models used in Windows NT

    Single master

    Multi-master

    Mesh (full trust)

Page 2: Examining a Windows NT Infrastructure (3) (Skill 1)

Single master domain model

  Consists of one account domain trusted by one or more resource domains

  User accounts are contained in the account domain (also called master domain)

  Resources are administered from the resource domain

  Advantage: centralized model with well-defined administrative boundary

  Disadvantages: reduced user limits and potential for excessive WAN traffic

Page 3: Examining a Windows NT Infrastructure (4) (Skill 1)

Multi-master domain model

  Consists of multiple account and resource domains, with master domains all trusting each other and resource domains trusting all master domains

  Accounts are contained in all master domains

  Resources are administered in the resource domain

  Advantages: fairly well-centralized, strong administrative boundaries, and higher account limits than single master

  Disadvantages: increased complexity and still some potential for excessive WAN traffic

Page 4: Examining a Windows NT Infrastructure (5) (Skill 1)

Mesh (full trust) domain model

  Contains multiple domains that all trust all other domains

  Accounts and resources are administered in each domain

  Advantages: unlimited account limits and few traffic problems

  Disadvantages: very complex administrative structure, difficult to administer if more than four domains, requires defining and administering an excessive number of trust relationships
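As an added illustration that is not part of the course deck, the following PowerShell enumerates the one-way trusts each of the three NT domain models requires for a made-up set of domains. A two-way trust counts as two one-way trusts, which is why the mesh model's trust count grows as N(N-1) and becomes unmanageable past a handful of domains. Domain names are constructed.

```powershell
# Added example, not from the course deck: model the trust relationships of the
# single master, multi-master and mesh domain models as lists of one-way trusts.
# A two-way trust appears as two entries (one in each direction).

function Get-SingleMasterTrusts {
    param([string]$Master, [string[]]$ResourceDomains)
    # Each resource domain trusts the single account (master) domain: R one-way trusts.
    foreach ($r in $ResourceDomains) {
        [pscustomobject]@{ Trusting = $r; Trusted = $Master }
    }
}

function Get-MultiMasterTrusts {
    param([string[]]$Masters, [string[]]$ResourceDomains)
    # Master domains trust each other two-way: M * (M - 1) one-way trusts.
    foreach ($a in $Masters) {
        foreach ($b in $Masters) {
            if ($a -ne $b) { [pscustomobject]@{ Trusting = $a; Trusted = $b } }
        }
    }
    # Every resource domain trusts every master domain: R * M one-way trusts.
    foreach ($r in $ResourceDomains) {
        foreach ($m in $Masters) {
            [pscustomobject]@{ Trusting = $r; Trusted = $m }
        }
    }
}

function Get-MeshTrusts {
    param([string[]]$Domains)
    # Every domain trusts every other domain two-way: N * (N - 1) one-way trusts.
    foreach ($a in $Domains) {
        foreach ($b in $Domains) {
            if ($a -ne $b) { [pscustomobject]@{ Trusting = $a; Trusted = $b } }
        }
    }
}

# Constructed sample: five domains in total under each model.
$single = Get-SingleMasterTrusts -Master 'CORP' -ResourceDomains 'HR', 'SALES', 'ENG', 'OPS'
$multi  = Get-MultiMasterTrusts -Masters 'CORP-EAST', 'CORP-WEST' -ResourceDomains 'HR', 'SALES', 'ENG'
$mesh   = Get-MeshTrusts -Domains 'A', 'B', 'C', 'D', 'E'

'Single master : {0} one-way trusts' -f @($single).Count
'Multi-master  : {0} one-way trusts' -f @($multi).Count
'Mesh          : {0} one-way trusts' -f @($mesh).Count

# The mesh list is the set of relationships an administrator has to create and maintain by hand.
$mesh | Format-Table -AutoSize
```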

Page 5: Examining a Windows NT Infrastructure (6) (Skill 1)

Administrative model

  Normally follows domain structure

  Important to understand because the model helps define administrative boundaries in new network

  Most accurate way to determine is to examine daily functions of each member of administrative team

  Other methods

    Interviewing administrative or IT management

    Examining permissions, rights, and group memberships

  Helpful to create diagram once examination is complete

Page 6: Examining a Windows NT Infrastructure (7) (Skill 1)

Replication

  Almost entirely dependent on domain model chosen and domain controller layout

  Windows NT uses replicator service to replicate file and folder structures to specific servers

  In Windows Server 2003 and Windows 2000 Server, this function has been taken over by the File Replication Service (FRS)

  During design process, you must know which folders will need to be replicated by FRS, which almost always includes a subset of the files currently replicated by the replicator service

Page 7: Examining a Windows NT Infrastructure (8) (Skill 1)

System policies

  Currently configured system policies provide a good starting point on which to base Group Policies

  System policies also define rights assignments, which are important when designing the security and administrative structure of the new network

Page 8: Examining a Windows NT Infrastructure (9) (Skill 1)

Group structure

  Must take into account global and local group memberships

  In many Windows NT networks, global groups are used almost exclusively, which leads to a large number of global groups

  Rearrange group structure to utilize both global and local groups and follow the Microsoft rule

  Microsoft rule (A-G-DL-P): Put user accounts (A) into global groups (G), put global groups into domain local groups (DL), and then grant permissions (P)
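The A-G-DL-P rule in practice, as an added example that is not from the course deck: the first function creates the G and DL groups, nests them and grants the folder permission to the domain local group only; the second audits an existing folder for explicit ACEs granted to users or global groups directly, which is the pattern the slide says to rearrange. It assumes the ActiveDirectory RSAT module; group names, the OU path and the folder path are constructed.

```powershell
# Added example, not from the course deck: apply and audit the A-G-DL-P rule.
Import-Module ActiveDirectory

function New-AGDLPPermission {
    param(
        [string]$FolderPath,          # folder the permission applies to (constructed path below)
        [string]$GlobalGroup,         # G: holds the user accounts (A)
        [string]$DomainLocalGroup,    # DL: holds the global group and receives the permission (P)
        [string]$OUPath,              # OU in which to create both groups
        [string[]]$Users,             # sAMAccountNames to place in the global group
        [System.Security.AccessControl.FileSystemRights]$Rights = 'Modify'
    )
    # A -> G
    New-ADGroup -Name $GlobalGroup -GroupScope Global -GroupCategory Security -Path $OUPath
    Add-ADGroupMember -Identity $GlobalGroup -Members $Users
    # G -> DL
    New-ADGroup -Name $DomainLocalGroup -GroupScope DomainLocal -GroupCategory Security -Path $OUPath
    Add-ADGroupMember -Identity $DomainLocalGroup -Members $GlobalGroup
    # DL -> P: the ACE names the domain local group, never the users or the global group
    $acl  = Get-Acl -Path $FolderPath
    $sid  = (Get-ADGroup -Identity $DomainLocalGroup).SID
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($sid, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $FolderPath -AclObject $acl
}

function Test-AGDLPCompliance {
    # Report every explicit (non-inherited) ACE that is not granted to a domain local group.
    param([string]$FolderPath)
    $acl = Get-Acl -Path $FolderPath
    foreach ($ace in $acl.Access) {
        if ($ace.IsInherited) { continue }
        $ref = $ace.IdentityReference.Value
        # Well-known principals are always placed directly; they are not part of the rule
        if ($ref -match '^(BUILTIN|NT AUTHORITY|CREATOR OWNER|NT SERVICE)') { continue }
        $sam   = $ref.Split('\')[-1]
        $group = Get-ADGroup -Filter "SamAccountName -eq '$sam'"
        $kind  = if ($group) { "$($group.GroupScope) group" } else { 'user or other principal' }
        if (-not $group -or $group.GroupScope -ne 'DomainLocal') {
            [pscustomobject]@{
                Folder    = $FolderPath
                Principal = $ref
                Kind      = $kind
                Rights    = $ace.FileSystemRights
                Finding   = 'Permission not granted through a domain local group'
            }
        }
    }
}

# Constructed usage (names and paths are placeholders):
# New-AGDLPPermission -FolderPath 'D:\Shares\Sales' -GlobalGroup 'Sales-Staff' `
#     -DomainLocalGroup 'Sales-Share-Modify' -OUPath 'OU=Groups,DC=corp,DC=example' -Users 'jdoe', 'asmith'
# Test-AGDLPCompliance -FolderPath 'D:\Shares\Sales' | Format-Table -AutoSize
```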

Page 9: Examining a Windows NT Infrastructure (10) (Skill 1)

Domain controller configuration

  If reusing existing domain controllers, hardware specifications become critical

  Check compatibility and ability to scale

  Perform a pilot upgrade if possible

  If a pilot is not possible, use Performance Monitor or third-party tools to determine peak number of interactive logins that must be supported by each domain controller (primary metric)

  RAM, disk, and network requirements fairly static

  Processor requirements depend on number of users interactively logging in during peak period

  Take other services into account

Page 10: Examining a Windows NT Infrastructure (11) (Skill 1)

Domain controller placement

  Analysis of current placement helps determine the areas of the network that may be prone to performance or reliability constraints

Page 11: (Skill 1)

Figure 3-1 Single master domain model

Page 12: (Skill 1)

Figure 3-2 Multi-master domain model

Page 13: (Skill 1)

Figure 3-3 Mesh domain model

Page 14: (Skill 1)

Figure 3-4 A diagram of a simple administrative model

Page 15: (Skill 1)

Figure 3-5 The Microsoft Rule

Page 16: Examining a Windows 2000 Infrastructure (Skill 2)

Redesigning a Windows 2000 Active Directory-based infrastructure typically requires a more thorough examination of the existing infrastructure than when redesigning a Windows NT infrastructure

Active Directory adds significant complexity to the environment

Page 17: Examining a Windows 2000 Infrastructure (2) (Skill 2)

Factors to consider when designing an Active Directory-based network

  Forest and tree design

  Existing manual trust relationships

  DNS configuration

  Site configuration

  Schema modifications

  Organizational unit (OU) design

Page 18: Examining a Windows 2000 Infrastructure (3) (Skill 2)

Factors to consider when designing an Active Directory-based network (continued)

  Active Directory security settings

  Group Policy

  Sysvol requirements

  Global catalog server requirements

  Security and distribution group configuration

  Flexible Single Master of Operations (FSMO) role configuration

Page 19: Examining a Windows 2000 Infrastructure (4) (Skill 2)

Forest and tree design

  Forest design affects number of schemas, administrative model, number of global catalogs, and trust design

  If a network contains more than one forest, you should know the reasoning behind that decision

  Importance of tree design

    It describes the network's domain naming model

    It defines the configuration of default trust relationships within the forest(s)

Page 20: Examining a Windows 2000 Infrastructure (5) (Skill 2)

Existing manual trust relationships

  Types of manual trusts

    Shortcut trusts (manual two-way transitive trusts, also known as explicit trusts)

    One-way trusts (typically established between Windows NT and Active Directory domains or different Active Directory forests)

  Must understand reasoning behind why they exist, because it may influence new design

Page 21: Examining a Windows 2000 Infrastructure (7) (Skill 2)

Site configuration

  Sites are commonly misconfigured

  Pay special attention to site links and the relationship between physical topology and site topology

  Mistakes can lead to significantly higher WAN link usage

Page 22: Examining a Windows 2000 Infrastructure (8) (Skill 2)

Schema modifications

  Of concern because schema modifications can make drastic changes to the functionality of Active Directory

  Examine the number and type of schema modifications, the organization's schema modification guidelines, and the reasoning behind them

  Failure to take schema modifications into account can lead to last-minute schema modifications, which can cause massive Active Directory replication and other problems

Page 23: Examining a Windows 2000 Infrastructure (9) (Skill 2)

Organizational unit (OU) design

  One of most significant factors in Active Directory design

  Affects administrative delegation, object organization, and Group Policy application within each domain

Page 24: Examining a Windows 2000 Infrastructure (10) (Skill 2)

Organizational unit (OU) design (continued)

  Need to analyze certain facets

    Structure of the OU design

    Number of levels present in the OU design

    Organization (or lack thereof) in the design

    Delegation of permissions

    Group Policies applied to OUs

    Use of Block Inheritance and No Override permissions

    Contents of each OU

Page 25: Examining a Windows 2000 Infrastructure (11) (Skill 2)

Active Directory security settings

  Related to OU design

  Typically applied to one or more groups within the structure in the form of delegated permissions applied to the OU

  Sometimes applied to individual objects

  All should be examined thoroughly

Page 26: Examining a Windows 2000 Infrastructure (12) (Skill 2)

Group Policy

  Settings have a significant impact on operation of systems within the network

  Note which Group Policy Objects (GPOs) are applied at site, domain, and OU levels

  Examine each GPO to determine its configured settings

  Examine use of No Override and Block Inheritance

  Examine permissions configured on each Group Policy
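An added example, not from the course deck, that carries out the Group Policy inventory this slide and the OU design slide call for: it lists every GPO link at site, domain and OU level with its Enforced flag (the Windows 2000 "No Override"), notes containers that block inheritance, and lists who holds edit rights on each GPO. It assumes the GroupPolicy and ActiveDirectory RSAT modules and read access to the domain and configuration partitions.

```powershell
# Added example, not from the course deck: inventory GPO links, inheritance blocking,
# enforcement and GPO edit permissions across sites, the domain root and all OUs.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoLinkInventory {
    $domain = Get-ADDomain
    # Domain root plus every OU; Get-GPInheritance exposes the links and the block flag
    $containers = @($domain.DistinguishedName) +
        @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
    foreach ($dn in $containers) {
        $inh   = Get-GPInheritance -Target $dn
        $scope = if ($dn -eq $domain.DistinguishedName) { 'Domain' } else { 'OU' }
        foreach ($link in $inh.GpoLinks) {
            [pscustomobject]@{
                Scope = $scope; Container = $dn; GPO = $link.DisplayName
                Enforced = $link.Enforced          # "No Override" in Windows 2000 terms
                Enabled  = $link.Enabled
                BlocksInheritance = $inh.GpoInheritanceBlocked
            }
        }
        if ($inh.GpoInheritanceBlocked -and $inh.GpoLinks.Count -eq 0) {
            # Block Inheritance with nothing linked: only Enforced links from above still apply here
            [pscustomobject]@{ Scope = $scope; Container = $dn; GPO = '(none linked)'
                               Enforced = $false; Enabled = $null; BlocksInheritance = $true }
        }
    }
    # Site links live in the configuration partition, so read each site's gPLink attribute.
    # Format: [LDAP://cn={GUID},cn=policies,...;<options>] with bit 1 = disabled, bit 2 = enforced
    $pattern = '\[LDAP://cn=(\{[0-9a-fA-F-]+\})[^;]*;(\d+)\]'
    foreach ($site in Get-ADReplicationSite -Filter * -Properties gPLink) {
        foreach ($m in [regex]::Matches([string]$site.gPLink, $pattern)) {
            $opts = [int]$m.Groups[2].Value
            $gpo  = Get-GPO -Guid $m.Groups[1].Value -ErrorAction SilentlyContinue
            $name = if ($gpo) { $gpo.DisplayName } else { $m.Groups[1].Value }
            [pscustomobject]@{
                Scope = 'Site'; Container = $site.Name; GPO = $name
                Enforced = [bool]($opts -band 2); Enabled = -not ($opts -band 1)
                BlocksInheritance = $false
            }
        }
    }
}

function Get-GpoEditors {
    # Trustees holding anything beyond Read/Apply can change policy and deserve review
    foreach ($gpo in Get-GPO -All) {
        foreach ($p in Get-GPPermission -Guid $gpo.Id -All) {
            if ("$($p.Permission)" -in 'GpoEdit', 'GpoEditDeleteModifySecurity', 'GpoCustom') {
                [pscustomobject]@{ GPO = $gpo.DisplayName; Trustee = $p.Trustee.Name; Permission = $p.Permission }
            }
        }
    }
}

# Get-GpoLinkInventory | Sort-Object Scope, Container | Format-Table -AutoSize
# Get-GpoEditors | Format-Table -AutoSize
```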

Page 27: Examining a Windows 2000 Infrastructure (14) (Skill 2)

Global catalog server requirements

  Examine locations, paying special attention to locations that do not contain any global catalog servers

  Examine the configuration of each existing global catalog server

  Examine reliability and performance statistics

  Examine network traffic related to global catalog replication and queries

Page 28: Examining a Windows 2000 Infrastructure (16) (Skill 2)

Flexible Single Master of Operations (FSMO) role configuration

  Examine placement of these roles closely, because they are so important

  Make sure in new design that you transfer roles as necessary to achieve maximum level of reliability and redundancy

Page 29: Examining a Windows 2000 Infrastructure (17) (Skill 2)

FSMO role configuration

  Obtain the following information on servers currently hosting FSMO roles

    Server hardware configuration

    Server performance and reliability statistics

    Backup records or logs

    Other services configured

    Security settings

    Whether the server is a global catalog server

    Whether the server hosts more than one FSMO role
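An added example, not from the course deck, that gathers the FSMO facts the last two slides ask for from a live forest: which server holds which role, how many roles each holder has, whether it is a global catalog, and its site and operating system. It assumes the ActiveDirectory RSAT module and read access to the forest; hardware, backup and other-service details still have to be collected per server.

```powershell
# Added example, not from the course deck: inventory the current FSMO role holders.
Import-Module ActiveDirectory

function Get-FsmoRoleInventory {
    $forest = Get-ADForest
    # Forest-wide roles come from the forest object, domain roles from each domain
    $roles = @(
        @{ Server = $forest.SchemaMaster;       Role = 'SchemaMaster' },
        @{ Server = $forest.DomainNamingMaster; Role = 'DomainNamingMaster' }
    )
    foreach ($name in $forest.Domains) {
        $d = Get-ADDomain -Identity $name
        $roles += @{ Server = $d.PDCEmulator;          Role = "PDCEmulator ($name)" }
        $roles += @{ Server = $d.RIDMaster;            Role = "RIDMaster ($name)" }
        $roles += @{ Server = $d.InfrastructureMaster; Role = "InfrastructureMaster ($name)" }
    }
    # One record per holder, so servers carrying several roles stand out
    foreach ($group in ($roles | Group-Object { $_.Server })) {
        $server    = $group.Name
        $dc        = Get-ADDomainController -Identity $server
        $roleNames = @($group.Group | ForEach-Object { $_.Role })
        [pscustomobject]@{
            Server          = $server
            Site            = $dc.Site
            OperatingSystem = $dc.OperatingSystem
            IsGlobalCatalog = $dc.IsGlobalCatalog
            RoleCount       = $group.Count
            Roles           = ($roleNames -join ', ')
            # Well-known caveat of this era: in a multi-domain forest the Infrastructure Master
            # should not sit on a global catalog unless every DC is one, or cross-domain
            # references stop being updated. Flag it so the new design can move the role.
            InfraMasterOnGC = [bool]($dc.IsGlobalCatalog -and $forest.Domains.Count -gt 1 -and
                                     ($roleNames -match '^InfrastructureMaster'))
        }
    }
}

# Get-FsmoRoleInventory | Format-Table -AutoSize
```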

Page 30: (Skill 2)

Figure 3-9 Analyzing Group Policy application